
The University of New South Wales School of Computer Science and Engineering

COMP9910, Research and Management Skills, session 2, 2005 Paper Reviews

Anjum Naveed 3140842

Cross-feature analysis for detecting ad-hoc routing anomalies. Yi-an Huang, Wei Fan, Wenke Lee, Philip S. Yu. Proceedings of the 23rd International Conference on Distributed Computing Systems, Pages: 478-487, May 2003

1. Domain Background
Wireless networks have been an active area of research for the past few years. Different types of wireless networks are optimized according to application requirements. Mobile ad-hoc networks (MANETs) are a type of wireless network in which the network is established between the participating devices without any fixed infrastructure. Such networks are important when a quick communication setup is required, for example after a crisis like an earthquake where the static communication infrastructure is damaged, or in military applications where static infrastructure is not possible at all. Security remains as important a concern in wireless networks as in wired networks. For the proper functioning of wireless networks, different security strategies need to be deployed so that the network is secured from internal and external threats. Security techniques can generally be divided into two categories: intrusion prevention techniques, whereby measures are taken to ensure that the overall system is protected against malicious users, and intrusion detection schemes, whereby the system is monitored to detect any intrusions. The two complement each other, and proper deployment of both results in a more secure system.

2. About the Paper
The paper addresses security issues in mobile ad-hoc networks (MANETs). Malicious intrusions that cause MANETs to malfunction are one of the security challenges. MANET routing protocols are cooperative: nodes forward traffic on behalf of other nodes. This cooperative nature can be exploited to mount intrusion attacks on the network. The paper proposes a new technique, cross-feature analysis, for building an intrusion detection system (IDS) for MANETs. Cross-feature analysis uses the correlation between different traffic and non-traffic parameters to identify anomalies in the values of these parameters. It is one of the intrusion detection techniques in which anomalies are detected by identifying abnormal behavior in the network traffic pattern.

3. Research Relevance
Routing anomalies are one of the major security concerns in any type of network. Security breaches resulting in routing anomalies can disrupt the whole network service. Wireless networks such as MANETs, sensor networks and wireless mesh networks (WMNs) are self-organizing networks. The accurate operation of routing protocols is imperative for the smooth functioning of the network and for service availability. Wireless mesh networks operating in the client meshing architecture resemble MANETs, and the routing protocols used for that architecture are the same as for MANETs. Techniques for detecting routing anomalies in MANETs, like the one discussed in the paper under consideration, can therefore be borrowed for WMNs operating in the client meshing architecture.
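The cross-feature idea in runnable form, as an added illustration that is not the paper's classifier or data: every feature is predicted from the remaining ones on attack-free records, and a record whose feature values stop agreeing with each other scores low. The feature bins, training records and threshold below are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# One discretised feature vector, e.g. (route-request bin, route-reply bin, forwarded-packet bin).
Record = Tuple[int, ...]


class CrossFeatureModel:
    """Simplified cross-feature analysis (an illustrative reconstruction, not the paper's code).

    For every feature i a conditional frequency table predicts f_i from the other
    features.  A record is scored by how strongly each observed value agrees with
    the prediction made from the rest; a low average means the features no longer
    correlate the way they do in normal traffic, which is reported as an anomaly.
    """

    def __init__(self, n_features: int, threshold: float) -> None:
        self.n = n_features
        self.threshold = threshold
        # tables[i][other_values] -> counts of the f_i values seen in that context
        self.tables: List[Dict[Record, Counter]] = [defaultdict(Counter) for _ in range(n_features)]
        # per-feature marginal counts, used as a fallback for contexts never seen in training
        self.marginals: List[Counter] = [Counter() for _ in range(n_features)]

    @staticmethod
    def _others(rec: Record, i: int) -> Record:
        return rec[:i] + rec[i + 1:]

    def fit(self, normal: Sequence[Record]) -> None:
        """Learn the feature correlations from records assumed to be attack-free."""
        for rec in normal:
            for i, value in enumerate(rec):
                self.tables[i][self._others(rec, i)][value] += 1
                self.marginals[i][value] += 1

    def _agreement(self, rec: Record, i: int) -> float:
        """P(f_i = observed value | the other features), backing off to the marginal."""
        counts = self.tables[i].get(self._others(rec, i)) or self.marginals[i]
        total = sum(counts.values())
        return counts[rec[i]] / total if total else 0.0

    def score(self, rec: Record) -> float:
        """Average agreement over all features; 1.0 means every value was fully expected."""
        return sum(self._agreement(rec, i) for i in range(self.n)) / self.n

    def is_anomaly(self, rec: Record) -> bool:
        return self.score(rec) < self.threshold


# Constructed normal records: route replies track route requests (bins 0-2) and
# most packets are forwarded.  Real MANET training data would replace this.
NORMAL_RECORDS: List[Record] = [
    (0, 0, 2), (0, 0, 2), (0, 0, 1), (1, 1, 2), (1, 1, 2),
    (1, 1, 1), (2, 2, 2), (2, 2, 1), (1, 1, 2), (0, 0, 2),
]


def build_demo_model(threshold: float = 0.6) -> CrossFeatureModel:
    model = CrossFeatureModel(n_features=3, threshold=threshold)
    model.fit(NORMAL_RECORDS)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for rec in [(1, 1, 2), (2, 2, 1), (2, 0, 0)]:  # last: many requests, no replies, nothing forwarded
        print(rec, round(m.score(rec), 3), "ANOMALY" if m.is_anomaly(rec) else "normal")
```

The record (2, 0, 0) is flagged not because any single bin is out of range but because the bins no longer agree with each other, which is the property the reviewed technique relies on.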

4. Analysis
The paper presents a new intrusion detection technique which can be effective for mobile ad-hoc networks. The following sub-sections list the strengths and weaknesses of the proposed technique, followed by suggestions for improvement.

4.1 Strengths
- The proposed technique is anomaly based. Anomaly-based techniques are highly effective for mobile wireless networks, including MANETs.
- Various factors like node mobility and topology change have been incorporated, making the proposed technique highly effective and flexible.
- New types of attacks can easily be detected using the proposed technique because it does not require any prior knowledge about attacks for detection.
- The technique can easily be enhanced to include new parameters.
- The proposed technique is practical for other types of wireless networks as well as for wired networks.

4.2 Weaknesses
- The proposed technique is a local (per-node) intrusion detection technique. The overall condition of the network is not considered. A number of attacks may not be detected because they have no local effect but can be highly critical for the overall system.
- The technique is heavily dependent upon training data, which is not available for MANETs.
- Frequent changes in network topology can result in a lot of false alarms. Frequent changes in the network may also result in false positives.
- If a node is compromised, most of the time it cannot communicate with the rest of the network. In this case it does not matter whether the node is able to detect the intrusion or not.
- In most attacks, nodes are unable to perform the computation necessary for intrusion detection.
- The proposed solution is computation intensive, and it is not possible for wireless devices to perform extensive computation.
- Intrusion attacks originating from layers other than the network layer will not be detected at all.

4.3 Suggested improvements
- A cluster-based technique can be effective, whereby a few stronger nodes (with high computation power and battery reserves) are responsible for detecting intrusions on behalf of neighboring nodes.
- Multi-layer analysis is required in order to perform effective intrusion detection.
- Multi-staged analysis will be effective for wireless networks, as no clear zones of defense exist because of mobility and topology changes.

A cooperative intrusion detection system for ad hoc networks. Yi-an Huang, Wenke Lee. Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks, Pages: 135-147, October 2003

1. Domain Background
Wireless networks have been an active area of research for the past few years. Mobile wireless devices have limited battery power and computational resources, which remains a major design challenge. Optimizing routing protocols, applications and security mechanisms so that these resources are used to the bare minimum increases the lifetime of wireless networks. Mobile ad-hoc networks (MANETs) are a type of wireless network in which the network is established between the participating devices without any fixed infrastructure. Given the applications of MANETs, it is extremely important to use battery power optimally to ensure that the network remains operational for a reasonable duration. Security remains as important a concern in wireless networks as in wired networks. The use of MANETs in military applications specifically demands high security of the network, even if a few devices are compromised. For a security mechanism to be successful, optimum resource consumption is as important as the efficiency of the technique itself. The very nature of wireless networks emphasizes the need for efficient intrusion detection techniques.

2. About the Paper
The paper addresses security issues in mobile ad-hoc networks (MANETs). Malicious intrusions that cause MANETs to malfunction are one of the security challenges. The paper extends the local cross-feature-analysis-based IDS to a cluster-based IDS using cross-feature analysis. This results in optimized consumption of battery power.

3. Research Relevance
Wireless mesh networks deployed as community networks pose similar issues of fairness and selective misbehavior as MANETs. Security components for the client meshing architecture of WMNs, specifically low-power self-controlled network deployments, must treat the battery power limitation as the core design issue. A cooperative intrusion detection technique can be adopted for wireless mesh networks to overcome the limitations of battery power and computational resources. A robust cooperative technique with almost real-time response can result in an efficient IDS for WMNs.

4. Analysis
The following sub-sections list the strengths and weaknesses of the proposed technique, followed by suggestions for improvement.

4.1 Strengths
- The proposed technique is anomaly based. Anomaly-based techniques are highly effective for mobile wireless networks, including MANETs.
- Resources are a major constraint in wireless networks, specifically mobile ad-hoc networks. A cluster-based solution will reduce the computational overhead considerably.
- New types of attacks can easily be detected using the proposed technique because it does not require any prior knowledge about attacks for detection.
- The paper proposes methods to extract more information about well-known attacks; this can actually lead to identifying the attacker as well.
- Selection of a node as ID agent, based on a clustering algorithm, results in a uniform distribution of computational load over all participating devices. This leads to efficient resource utilization.
- The proposed technique is practical for other types of wireless networks as well as for wired networks.

4.2 Weaknesses
- Response and alert generation mechanisms have not been considered at all. The response to detected intrusions can be significantly different from that of a conventional network IDS and needs to be automated most of the time.
- The technique is heavily dependent upon training data, which is not available for MANETs.
- Frequent changes in network topology can result in a lot of false alarms.
- The assumption of taking a snapshot of network parameters after a certain time interval may allow certain short-term attacks to cause damage before they can be detected.
- In most attacks, nodes are unable to perform the computation necessary for intrusion detection.
- Intrusion attacks originating from layers other than the network layer will not be detected at all.

A security design for a general purpose, self-organizing, multihop ad hoc wireless network. Thomas S. Messerges, Johnas Cukier, Tom A. M. Kevenaar, Larry Puhl, Ren Struik, Ed Callaway. Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks, Pages: 1-11, October 2003

1. Domain Background
Wireless networks have been an active area of research for the past few years. Different types of wireless networks are optimized according to application requirements. Self-organizing multihop wireless networks include mobile ad-hoc networks (MANETs), sensor networks, wireless personal area networks (WPANs) and wireless mesh networks (WMNs). Security remains as important a concern in wireless networks as in wired networks. For the proper functioning of wireless networks, different security strategies need to be deployed so that the network is secured from internal and external threats. Security solutions for wireless networks are still in their infancy and need to evolve considerably before any guarantees can be provided for commercial applications. Complete security solutions in the form of security models can provide a solid basis for building effective security solutions.

2. About the Paper
A security model is proposed for self-organizing multihop wireless networks. The model proposes a security box which provides security services at three layers, namely the MAC, network and application layers. The model introduces the concept of end-to-end security, whereby security services are provided only by the two communicating devices, and the intermediate forwarding devices need not be concerned with security at all. The concepts of cross-layer trust and cross-application trust are at the heart of the model. Cross-layer trust means that the layer that initiates a message is responsible for securing it: if the application layer initiates the message, then the MAC and network layers will not process the message for security. Cross-application trust means that if two devices are communicating using a particular application and the same devices want to communicate using another application, then the existing trust for the first application can be borrowed for the second application and no new trust establishment procedure is required.

3. Research Relevance
Wireless mesh networks can be viewed as self-organizing multihop ad-hoc wireless networks. A security model developed for general-purpose self-organizing multihop ad-hoc wireless networks can be extended into a security model for WMNs. Adaptation of the model is necessary, however, keeping in view the proactive routing nature of WMNs, specifically in the infrastructure architecture. Unlike most general-purpose self-organizing multihop ad-hoc wireless networks, where routing is on-demand, routing in WMNs is based on proactive path discovery. This demands significant changes at the network layer of general models such as the one proposed in this paper, while the components for the other layers remain effective.

4. Analysis
The following sub-sections list the strengths and weaknesses of the proposed technique.

4.1 Strengths
- The security features add minimal overhead on wireless devices, making the model an attractive choice.
- End-to-end security provisioning reduces the load on intermediate forwarding devices. This is generally desirable in wireless networks.
- The model avoids redundant security operations by using cross-layer and cross-application trust.
- The concept of caching keys can improve performance in the case of highly mobile clients.
- Use of symmetric-key key establishment reduces the computational overhead as well.

4.2 Weaknesses
- End-to-end trust can reduce the computational overhead at intermediate devices, but not all traffic is safe to forward unchecked. This can actually lead to denial-of-service and sleep deprivation attacks if only one node is compromised.
- Certain attacks affect multiple layers of the protocol stack. Such attacks will be hard to detect with a cross-layer trust mechanism. Similarly, attacks that affect only a single layer (a jamming attack, for example) may jeopardize the network completely.
- Cross-application trust can pose serious threats. If a single device is injected with some malicious application, it can easily spread across the whole network very quickly, resulting in complete failure. To make the security system ineffective, a malicious agent needs to compromise only a single node which is trusted by a few other nodes. This leads to a weak security model.
- The model considers a device to be secure if it has passed the initial trust establishment procedure. This is not the case, keeping in view that the device can be compromised afterwards.
- The idea of caching keys at the network layer and MAC layer can lead to an easy compromise if one of the clients is compromised.

4.3 Suggested improvements
- If the security box is used in such a way that all layers provide some security functionality, it will still eliminate redundancy while multi-layer attacks can also be detected.
- Traffic can be divided based on its characteristics and functionality. End-to-end security may be suitable for the major share of network traffic, but certain control messages should be checked at intermediate nodes as well. This will reduce the possibility of compromising the whole network if one device is compromised.

Experiences in Passive Techniques for Detecting Session Hijacking Attacks in IEEE 802.11 Wireless Networks. Authors blinded for peer review. Submitted for review and publication in the Australian Information Security Workshop, January 2006

1. Domain Background
Security remains as important a concern in wireless networks as in wired networks. For the proper functioning of wireless networks, different security strategies need to be deployed so that the network is secured from internal and external threats. Security techniques can generally be divided into two categories: intrusion prevention techniques, whereby measures are taken to ensure that the overall system is protected against malicious users, and intrusion detection schemes, whereby the system is monitored to detect any intrusions. The two complement each other, and proper deployment of both results in a more secure system. Certain types of attacks are common across all types of wireless networks. The session hijacking attack (where the attacker pretends to be a legitimate user), for example, is common to all wireless networks as well as to conventional wired networks. While certain security techniques can reduce the possibility of such attacks, the possibility cannot be eliminated altogether. Detection techniques are therefore necessary to minimize the adverse effects of attacks like session hijacking.

2. About the Paper
The paper is an extension of published work by the same authors, in which they proposed a new technique for detecting session hijacking attacks in wireless networks. The technique is based on certain properties that are unique to wireless networks. The authors propose that the signal strength combined with the RTS-CTS round-trip time can be measured, and that an abrupt change in these values indicates hijacking of a session. Although a single parameter is enough to point out the intrusion, two parameters are used and a correlation engine monitors both parameter values to ensure that the change is caused by hijacking and not by interference or some other factor. This reduces the number of false positives and improves accuracy and efficiency. Extensive experiments have been performed to test the solution.

3. Research Relevance
Session hijacking is one of the most critical security challenges in all wireless networks, specifically at the application layer. The attack is also effective at the network layer as well as the MAC layer. The attacker can hijack a complete wireless session by pretending to be a device that has already been added to the trusted set of devices. This can lead to a number of other security vulnerabilities. Depriving a single wireless device of legitimate services may not disrupt the complete network, but if the attacker takes further actions, for example modifying routing protocols, then the whole network can be jeopardized. The application of wireless mesh networks as community networks makes session hijacking a major concern, because the routing devices are deployed at the end users' premises, and end users, being mainly non-technical, are unaware of security issues or even of the operation of the devices. A security model for WMNs must address session hijacking attacks at all layers explicitly in order to be effective.
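A small per-station correlation engine of the kind described above, added here as an illustration and not the paper's code: each monitored MAC keeps a sliding baseline of received signal strength (RSS) and RTS-CTS round-trip time, a single metric leaving its baseline is recorded as a single anomaly, and an alert is raised only when both leave together. Thresholds, window size, MAC addresses and sample values are constructed; a station that never sends an RTS/CTS handshake supplies no RTT, so the engine has nothing to correlate for it.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

@dataclass
class Observation:
    mac: str                 # MAC address of the monitored station (STA)
    rss_dbm: float           # received signal strength of its frames at the monitor
    rtt_us: Optional[float]  # RTS-CTS round-trip time; None if the STA used no RTS/CTS handshake

@dataclass
class Verdict:
    rss_anomaly: bool
    rtt_anomaly: bool
    alert: bool  # the correlation engine fires only when both anomalies coincide

class HijackCorrelator:
    """Per-STA correlation engine (constructed illustration, not the paper's code).
    Each metric keeps a sliding baseline of samples judged normal; a sample is anomalous
    when it departs from that baseline by more than its threshold, and an alert needs RSS
    and RTT to be anomalous in the same observation (single-metric shifts are not alerts)."""

    def __init__(self, rss_threshold_db: float, rtt_threshold_us: float, window: int = 5) -> None:
        self.rss_threshold_db = rss_threshold_db
        self.rtt_threshold_us = rtt_threshold_us
        self.window = window
        self._rss: Dict[str, Deque[float]] = {}
        self._rtt: Dict[str, Deque[float]] = {}

    def _history(self, store: Dict[str, Deque[float]], mac: str) -> Deque[float]:
        return store.setdefault(mac, deque(maxlen=self.window))

    def _deviates(self, history: Deque[float], value: float, threshold: float) -> bool:
        if len(history) < self.window:
            return False  # baseline for this STA not yet established
        baseline = sum(history) / len(history)
        return abs(value - baseline) > threshold

    def observe(self, obs: Observation) -> Verdict:
        rss_hist = self._history(self._rss, obs.mac)
        rss_anom = self._deviates(rss_hist, obs.rss_dbm, self.rss_threshold_db)
        if not rss_anom:
            rss_hist.append(obs.rss_dbm)  # only samples judged normal extend the baseline (assumption)
        rtt_anom = False
        if obs.rtt_us is not None:  # no RTS/CTS -> the RTT half of the engine has nothing to check
            rtt_hist = self._history(self._rtt, obs.mac)
            rtt_anom = self._deviates(rtt_hist, obs.rtt_us, self.rtt_threshold_us)
            if not rtt_anom:
                rtt_hist.append(obs.rtt_us)
        return Verdict(rss_anom, rtt_anom, rss_anom and rtt_anom)

def run_demo() -> Dict[str, Verdict]:
    """Constructed traces: thresholds and samples are illustrative, not measured values."""
    eng = HijackCorrelator(rss_threshold_db=10.0, rtt_threshold_us=200.0, window=5)
    sta, sta_no_rts = "02:00:00:00:00:01", "02:00:00:00:00:02"
    for i in range(5):  # five steady samples establish each station's baseline
        eng.observe(Observation(sta, -55.0 + (i % 2), 300.0 + 5.0 * (i % 3)))
        eng.observe(Observation(sta_no_rts, -55.0 + (i % 2), None))
    return {
        "interference": eng.observe(Observation(sta, -72.0, 302.0)),        # only RSS moves: single anomaly
        "both_shift":   eng.observe(Observation(sta, -85.0, 900.0)),        # RSS and RTT move: alert
        "no_rts_cts":   eng.observe(Observation(sta_no_rts, -85.0, None)),  # RTT never available: no alert
    }
```

Running run_demo() returns the three verdicts: a single-metric anomaly without an alert, a combined anomaly with an alert, and a station without RTS-CTS samples that can never reach an alert however far its RSS moves.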

4. Analysis
The following sub-sections list the strengths and weaknesses of the proposed technique and the research, followed by suggestions for improvement.

4.1 Strengths
- The paper is well written and properly organized, with clear and logical sections and sub-sections.
- The problem being addressed, the solution and the contribution of the paper are stated explicitly.
- The technique (defined in previous work) is quite unique and is explicitly applicable to WLANs (though not to all 802.11 networks).
- Experiments have been conducted carefully, considering almost all possible scenarios.
- The paper covers very fine details about the different parameters, specifically the observations about detection thresholds and single anomalies.
- All relevant issues, like threshold optimization, single anomalies and the ROC curve of the IDS, have been considered with reasonable depth.
- The paper shows an in-depth understanding by the authors of the problem and the domain.

4.2 Weaknesses
- Although single anomalies have been discussed, the cause of single anomalies has not been considered. Single anomalies themselves point to abnormal behavior which must be addressed.
- The technique will not work if the RTS-CTS option is not enabled, because the correlation engine waits for both RSS and RTS-CTS RTT to exceed their thresholds before an alert can be generated.
- The authors state that the attacker should be at exactly the same place as the STA in order to launch the attack. This is not a valid argument: the attacker can be at some other place and still have the same values for RSS and RTS round-trip time, in which case the attack will go undetected.
- The technique will be inefficient for larger networks with many nodes, because each MAC address needs separate monitoring, recording and calculation of a few parameters. (However, this is mentioned in the future work of the paper.)
- The technique is not considered in networks with high mobility; in fact only WLANs with fixed infrastructure are considered. Section 6.1 of the paper indicates that high mobility will result in more false positives. The technique may not work at all for networks with high mobility, where false positives may reach 100%.
- Signal strength influences the effectiveness of the proposed IDS. The range of signal strength (distance of the STA from the AP) within which attacks will be properly detected is not considered in the paper.
- Fixed detection thresholds (one for RSS and one for RTT) will not work, specifically if there are many STAs scattered around at varying distances.

4.3 Suggested improvements
- The scenario where the attacker moves side by side with the STA, such that the signal strength remains reasonably close to that of the STA, should also be considered. This can effectively result in a comparable RTS round-trip time too, and the attack can go undetected.
- The authors should consider the range of signal strength for which the IDS will be effective.
- The cause of single anomalies must be addressed.
- Some dynamic mechanism is required to tune the threshold values for different signal strengths.
- The IDS should be capable of identifying which devices are using the RTS-CTS handshake. In the absence of the RTS-CTS mechanism, the IDS should be able to switch off the correlation engine for that device.
